SQL injection - CVE-2018-17232
When searching the archive, user input is used directly to create an SQL query. This can be exploited to view all messages, including messages from private channels the user is not a member of. Potentially exploitable to gain Remote Code Execution (RCE) depending on the configuration of the server.
Information disclosure.
If a user searches for a phrase that has been posted in a private channel the user is not a member of, the bot returns nothing rather than "No results found". This leaks to the user that the phrase has been said.
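The two issues above, as an added example that is not the project's code: the concatenated query pattern next to a parameterized search that enforces channel membership inside the SQL and gives the same reply whether a phrase is absent or only exists in a channel the user cannot see. The schema, table names, function names and sample rows are assumptions constructed for illustration.

```python
import sqlite3

NO_RESULTS = "No results found"

def make_db():
    """Constructed sample data; the schema is hypothetical, not the project's."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE messages (channel TEXT, text TEXT);
        CREATE TABLE members (channel TEXT, user TEXT);
        INSERT INTO messages VALUES ('general', 'deploy is done');
        INSERT INTO messages VALUES ('general', 'it''s friday');
        INSERT INTO messages VALUES ('private-ops', 'rotate the deploy key');
        INSERT INTO members VALUES ('general', 'alice');
        INSERT INTO members VALUES ('general', 'bob');
        INSERT INTO members VALUES ('private-ops', 'bob');
    """)
    return conn

def search_vulnerable(conn, term):
    # The pattern the report describes: user input becomes part of the SQL text,
    # and nothing restricts the rows to channels the searcher belongs to.
    sql = "SELECT channel, text FROM messages WHERE text LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()

def search_safe(conn, user, term):
    # Escape LIKE wildcards so the term is matched literally, then bind it as a
    # parameter so it can never change the structure of the statement.
    literal = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return conn.execute(
        "SELECT m.channel, m.text FROM messages m "
        "JOIN members mb ON mb.channel = m.channel AND mb.user = ? "
        "WHERE m.text LIKE ? ESCAPE '\\' ORDER BY m.rowid",
        (user, "%" + literal + "%"),
    ).fetchall()

def reply(conn, user, term):
    # One code path for "no rows": a phrase that exists only in a private channel
    # is indistinguishable from a phrase nobody has said.
    rows = search_safe(conn, user, term)
    if not rows:
        return NO_RESULTS
    return "\n".join(f"#{channel}: {text}" for channel, text in rows)
```

Because the membership join is part of the query itself, there is no post-filtering step that could produce an empty reply distinct from the "No results found" message.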